d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
Size

340KB
MD5

758b274ef374e88dde853065014f595b
SHA1

9ef6a663d02365ce550fb8fce254e0d3d5acb71b
SHA256

d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03
SHA512

a9ec5ec1950f380eb4a4240035280d90b76f042836cbcb45c4839b667edb00d7a5daea6f4bcb3321162e66cdf1c87f2d459a7e4acb15fe29e79d29cc8bcb2c6e
SSDEEP

3072:xftffjmNOCSjGoLpWM6VbBVjxyZ2wuhttQyrftffjmNOCSjGoLpWM6VbBVjxyZ2N:5VfjmNAXq1V599VfjmNAXq1V59a0Jal

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	startup.bat

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe

Deletes itself 1 IoCs

pid	Process
2032	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
1804	Logo1_.exe
2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2712	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1976	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2152	startup.bat

Loads dropped DLL 10 IoCs

pid	Process
2032	cmd.exe
2032	cmd.exe
2908	cmd.exe
2908	cmd.exe
2476	cmd.exe
2476	cmd.exe
1932	cmd.exe
1932	cmd.exe
1976	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1976	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000016bfb-78.dat	upx
behavioral1/memory/1932-80-0x0000000000200000-0x000000000022F000-memory.dmp	upx
behavioral1/memory/2152-96-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1976-99-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2152-100-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File opened for modification	C:\Windows\rundl132.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File created	C:\Windows\Logo1_.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File opened for modification	C:\Windows\uninstall\rundl132.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File created	C:\Windows\Logo1_.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File created	C:\Windows\Logo1_.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\log.ini	startup.bat
File created	C:\Windows\rundl132.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File created	C:\Windows\uninstall\rundl132.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1804	Logo1_.exe
1804	Logo1_.exe
1804	Logo1_.exe
1804	Logo1_.exe
1804	Logo1_.exe
1804	Logo1_.exe
2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1804	Logo1_.exe
1804	Logo1_.exe
1804	Logo1_.exe
1804	Logo1_.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1976	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2152	startup.bat

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2032	2860	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	28
PID 2860 wrote to memory of 2032	2860	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	28
PID 2860 wrote to memory of 2032	2860	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	28
PID 2860 wrote to memory of 2032	2860	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	28
PID 2860 wrote to memory of 1804	2860	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	29
PID 2860 wrote to memory of 1804	2860	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	29
PID 2860 wrote to memory of 1804	2860	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	29
PID 2860 wrote to memory of 1804	2860	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	29
PID 1804 wrote to memory of 2172	1804	Logo1_.exe	30
PID 1804 wrote to memory of 2172	1804	Logo1_.exe	30
PID 1804 wrote to memory of 2172	1804	Logo1_.exe	30
PID 1804 wrote to memory of 2172	1804	Logo1_.exe	30
PID 2172 wrote to memory of 3052	2172	net.exe	33
PID 2172 wrote to memory of 3052	2172	net.exe	33
PID 2172 wrote to memory of 3052	2172	net.exe	33
PID 2172 wrote to memory of 3052	2172	net.exe	33
PID 2032 wrote to memory of 2552	2032	cmd.exe	34
PID 2032 wrote to memory of 2552	2032	cmd.exe	34
PID 2032 wrote to memory of 2552	2032	cmd.exe	34
PID 2032 wrote to memory of 2552	2032	cmd.exe	34
PID 2552 wrote to memory of 2640	2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	35
PID 2552 wrote to memory of 2640	2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	35
PID 2552 wrote to memory of 2640	2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	35
PID 2552 wrote to memory of 2640	2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	35
PID 2640 wrote to memory of 2560	2640	net.exe	37
PID 2640 wrote to memory of 2560	2640	net.exe	37
PID 2640 wrote to memory of 2560	2640	net.exe	37
PID 2640 wrote to memory of 2560	2640	net.exe	37
PID 2552 wrote to memory of 2908	2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	38
PID 2552 wrote to memory of 2908	2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	38
PID 2552 wrote to memory of 2908	2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	38
PID 2552 wrote to memory of 2908	2552	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	38
PID 2908 wrote to memory of 2712	2908	cmd.exe	40
PID 2908 wrote to memory of 2712	2908	cmd.exe	40
PID 2908 wrote to memory of 2712	2908	cmd.exe	40
PID 2908 wrote to memory of 2712	2908	cmd.exe	40
PID 2712 wrote to memory of 2476	2712	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	41
PID 2712 wrote to memory of 2476	2712	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	41
PID 2712 wrote to memory of 2476	2712	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	41
PID 2712 wrote to memory of 2476	2712	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	41
PID 2476 wrote to memory of 2828	2476	cmd.exe	43
PID 2476 wrote to memory of 2828	2476	cmd.exe	43
PID 2476 wrote to memory of 2828	2476	cmd.exe	43
PID 2476 wrote to memory of 2828	2476	cmd.exe	43
PID 2828 wrote to memory of 3044	2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	44
PID 2828 wrote to memory of 3044	2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	44
PID 2828 wrote to memory of 3044	2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	44
PID 2828 wrote to memory of 3044	2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	44
PID 3044 wrote to memory of 1052	3044	net.exe	46
PID 3044 wrote to memory of 1052	3044	net.exe	46
PID 3044 wrote to memory of 1052	3044	net.exe	46
PID 3044 wrote to memory of 1052	3044	net.exe	46
PID 1804 wrote to memory of 1212	1804	Logo1_.exe	21
PID 1804 wrote to memory of 1212	1804	Logo1_.exe	21
PID 2828 wrote to memory of 1932	2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	47
PID 2828 wrote to memory of 1932	2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	47
PID 2828 wrote to memory of 1932	2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	47
PID 2828 wrote to memory of 1932	2828	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	47
PID 1932 wrote to memory of 1976	1932	cmd.exe	49
PID 1932 wrote to memory of 1976	1932	cmd.exe	49
PID 1932 wrote to memory of 1976	1932	cmd.exe	49
PID 1932 wrote to memory of 1976	1932	cmd.exe	49
PID 1976 wrote to memory of 2152	1976	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	50
PID 1976 wrote to memory of 2152	1976	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	50

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
  "C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a142C.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
      "C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\net.exe
        
        net stop "Kingsoft AntiVirus Service"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        6⤵
        
        PID:2560
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a190C.bat
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a197A.bat
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Kingsoft AntiVirus Service"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        10⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1DDD.bat
        9⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe"
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat
        
        "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat"
        11⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2152
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
587a94faadffb3e35b9c22cd224cccb8

SHA1
46b314a568e1d480d115d2a24d57bcc78524f93a

SHA256
1a81c27481f6f3380f6928259edffa8e9c18db92c2f574655553ab490d05a9cc

SHA512
b1635bb433d7ef8adff5b2c53a2e51ab105f542e0767f579c7849e901748d74898742f2d0223954ce101603aa617282ebf87932d472ac475f2f21a1135a2c4ca

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a142C.bat

Filesize
722B

MD5
cfee32b0a0d54649417ee47992c0ae46

SHA1
bbc9a5c2f8c9ad0c0e6f36ad520095cbf16484b9

SHA256
1bc1b53d9f6ea55ce6bdccd33fddac7594b476ae29b4a25cb82cee31c3d6da4e

SHA512
ade862e0530f69915dfc6a240efeaebf2a76116528e28c66964a553caa70881b58e8c0a038a42d16a514ef2858b7663bab18e7d5ea1de809e521dee5122e036b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a190C.bat

Filesize
722B

MD5
0ce95db59f2cce65052293469eb60929

SHA1
1d437bbe82c7b9df5de78fe33758371a9c1ff4ef

SHA256
63939a6dd6213eb41002872dfeec43a6b27ecb85fcb6cc58647941c3c3a5956f

SHA512
65762d2b759d9b4c09088a9f01a874ff32f331dfbd8a154f5cd7d040b5028d23be217a4d6c4d4074a803c325aebd892f288f36e2f20a25975100dce2f246558f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a197A.bat

Filesize
722B

MD5
42e5140eaa85d20d939aa350b91d0a1f

SHA1
ac5ce77034a7ec2a7aa1564115858ae966f7dfff

SHA256
6305796afb43544a3de04a79e176a0fa68da5c51fc8b98b11f636eccc2a1e126

SHA512
ce6b901977bdb57015b7a0cfd7d72cbc0f04a1d705bef3eb3a500c96d2b02f3025122b62229f28839477e9f1e7031a6f0f1264dbb8857bf8979dd02dc18c2f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1DDD.bat

Filesize
722B

MD5
c6a55f3b0e409f34b4eb738e24b0419b

SHA1
e154f818ae7ad97c2816c9237aadac0c58c520e4

SHA256
3f9066035075d47fa1a4f8146f76cc9bfb14ebafcf029f0a33665d479814a900

SHA512
1b8bc4d17b41454610e5a42a32eac98ae46832342aaa9910716fed7b77ab9627836cf5c91b14ee6285abbfc7fd84bf7d365aea51a7d9139028866bec385a33e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe.exe

Filesize
220KB

MD5
1bc4ecc0423d2bac2486d6e88d637589

SHA1
ca7fad601acf04bec1fe46be02690c575f840513

SHA256
804178b82ada2733358985d9f469cd047df364edb63ea313d00f8bcd86e8721b

SHA512
df92a239d75fb4bed65593c3e947bac24edfb5ac94e383cff802a5a690c14c6f2f3babf1a2103efcbde22088c8fc13e3eaf67499b5286c12a784e75209319d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe.exe

Filesize
101KB

MD5
de817f8996a5f524523514779f909a76

SHA1
4674880202435822341ba492843c2dcb126d5e50

SHA256
a21a9356c7a473988efbb5e8785047cb0fa93ac5ad093d429ef119fbb33edf6d

SHA512
8c02e93b54baee8b7bea96a80cd209f38aef6ff38b06d65d1ce04a709ebfec7b26126874aba611e893f87ae2ed719ebef05aad5f1077e68bbabe39a3048929aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe.exe

Filesize
194KB

MD5
69c3a9d6ac33a93f2002ee38c2a46434

SHA1
aa1e3497f5151fb76811665750956d4aaea7c3c8

SHA256
4ca1a8c14d03e78442789e84bf33091e3c74a84cf5bd6af84b1732eacf2a2dd9

SHA512
32f16e695ab7fd57e60a47d0d5976da19e944107001d41a37ef5f9a42029ec5b212c82ce763811629144c0545dcf31f8a3a7d46f1c021a7fa8b1099e2e58e5cd

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
5ebae18d758a2785c25800cf9f602426

SHA1
729c110aa5f4a19f6e932b399adb68373f788870

SHA256
3c8634b7cfad1704299882ee1d8cc86fdec88831103959d2589b2a62e33deb63

SHA512
0b5196e7c7d10a5f3bd504e649fd16a714948339e9401efa562492a852e9f46502688c52c03c64155652aacbce0229cd6a2babcff7863ee30103f8ece9ba9f9a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
832B

MD5
7e3a0edd0c6cd8316f4b6c159d5167a1

SHA1
753428b4736ffb2c9e3eb50f89255b212768c55a

SHA256
1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

SHA512
9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

Download Submit
C:\Windows\uninstall\rundl132.exe

Filesize
93KB

MD5
ee708472eb382dddfd8001ae980d7709

SHA1
20ac19a71e2ce5d5b222abd839212765dce86b81

SHA256
6e8abcda1d86afdd7475e56054fb1d7e55f176debee67da7b62e37b120435617

SHA512
a76f9694cedcec781158c256c845aecc85b9414987f466b3838f3f4631b13cb1dacdd2b70dbf6f5f33a895b194704fe3997d5d1e3787666f3670ca980c549310

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

Filesize
9B

MD5
ac7ef6d7fcd23c228941057dc1a38427

SHA1
aec0bc6ea51cea8edb23dd9ea7be81f113f42493

SHA256
fd687092833ff2ed530a5ba6d4cebe3c1e5f6c318da1610320743cc7e073a740

SHA512
6cf8518e3448d5f19775ac462fab31aac662f0386ed2aeae85b2b5591ee3092f25527beb74592f1c1e4a20f6488277b429c9f46e783937c4bb9f7439ffb6c4f3

Download Submit
\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe

Filesize
313KB

MD5
b464d0150ec177b7b8c6cca974dc8f94

SHA1
621716cd9503afea0e3e34741e5c0ad1dccfea38

SHA256
4bc55ad96505ddb421679d1867c91c44e5547b0f688824adf94d1b92caba5b0d

SHA512
f2f79fbdc58c016779d2330fcc7ab923c169239ebd58b8a4fbf7f917f021b6bf715a24043b94b13f408119d3638602ee4889edcaae6bb94f5eaa3e687faa2a66

Download Submit
memory/1212-64-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1804-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-2653-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-1920-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-1215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-3380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-80-0x0000000000200000-0x000000000022F000-memory.dmp

Filesize
188KB

Download
memory/1932-82-0x0000000000200000-0x000000000022F000-memory.dmp

Filesize
188KB

Download
memory/1976-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-95-0x0000000000310000-0x000000000033F000-memory.dmp

Filesize
188KB

Download
memory/2152-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2712-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-76-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2860-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-16-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2908-43-0x00000000001F0000-0x0000000000224000-memory.dmp

Filesize
208KB

Download